From Aida Atiku to Abacus: The Expanding Legal Landscape of Digital Banking Fraud in Uganda

In its judgment delivered on 9th April 2025 in the case of Abacus Parenteral Drugs Ltd v. Stanbic Bank (U) Ltd (HCCS No. 0322 of 2022), the High Court of Uganda further developed the principles established in the case of Aida Atiku versus Centenary Rural Development Bank Limited, Civil Suit No. 0754 of 2020. The Court found that the responsibility to prevent fraud in online banking transactions is shared between the bank and the customer, and both parties are bound by the terms of their banking contract.

The ruling underscores the evolving nature of corporate banking in the digital era, where both parties must collaborate to ensure transaction security and minimize fraud risks.

Background

The defendant enrolled in the bank’s online banking platform for managing salary payments and financial reconciliations. Between 2015 and 2018, the customer claimed to have lost over UGX 2.2 billion due to unauthorized transfers initiated via this platform. The defendant’s claim was that the bank breached its Business Online Agreement by processing payment instructions with discrepancies, such as mismatched account names and numbers, and failing to flag these errors.

The bank denied liability, emphasizing the platform’s design as a customer-controlled system, where clients initiate, verify, and approve transactions. The bank argued that the customer's internal failures, including using a single officer for both initiation and authorization of transactions, failure to monitor account activity, and breaches of security protocols, were the primary causes of the loss.

The Court found that although the platform was customer-controlled, the bank failed to implement adequate fraud detection systems and overlooked red flags, such as mismatched account details (the account name and account number), which was a breach of its contractual duty. However, the Court held the customer primarily liable, as it failed to maintain proper internal controls, including segregating roles for transaction initiation and authorization. The Court ruled that UGX 1,697,783,222 of the loss was proven and apportioned liability, with the bank liable for 20% (UGX 339,556,644) and the customer for 80%. The Court concluded that Abacus, due to its control over system access and internal processes, was in the best position to prevent the fraud.

Legal Implications of the Decision

  1. Extending the Atiku Principle to Corporate Clients: Dual Responsibility in Digital Banking Fraud: Fraud prevention in digital banking is a shared legal responsibility. Courts will assess which party—bank or client—was best positioned to prevent the fraud and assign liability accordingly.
  2. Binding Nature of the Bank-Customer Agreement: Every Clause Matters: The Court reaffirmed that the bank-customer relationship is fundamentally contractual, and both parties are bound by the specific terms of their agreement. In this case, the bank’s duty to reject erroneous instructions was contractually mandated and enforceable. Likewise, customers must understand and proactively fulfill their obligations—particularly around transaction validation, adherence to security protocols, and prompt reporting of suspicious activity.
  3. Corporate Clients Must Maintain Internal Controls for Online Banking Transactions: Courts will hold corporate customers contributorily liable for losses arising from failures that breach the security protocols agreed in their online banking agreements.
  4. Interpretation of Limitation of Liability Clauses: Limitation of liability clauses in bank-customer agreements cannot automatically shield banks from liability, particularly when their wording and context are ambiguous. Ambiguity in such clauses can expose banks to greater legal risks, as courts are unlikely to uphold them if they do not meet a clear, provable standard.
  5. Apportionment of Liability Based on Comparative Negligence: The Court adopted a nuanced comparative negligence approach to apportion liability for the fraud. This reflects the growing recognition that fraud prevention is a shared duty between banks and their customers, and that liability should be allocated based on the level of negligence and control each party had over the transaction occasioning the fraud.

Conclusion

The High Court’s decision in Abacus Parenteral Drugs Ltd v. Stanbic Bank has reshaped the legal landscape of digital banking fraud in Uganda. Unlike the earlier Aida Atiku v. Centenary Bank case—which placed sole liability on the account-holder for negligence—this ruling introduces a more balanced and commercially realistic approach: shared responsibility based on comparative fault.

This shift acknowledges that digital fraud is a complex and evolving risk that demands joint effort from both banks and clients. For banks, the message is clear: secure systems alone are insufficient. Proactive intervention, transparency, and meaningful client support are now critical duties. For clients, the standard has equally evolved—negligence through inadequate oversight or failure to monitor transactions may significantly reduce the chances of recovery in fraud-related losses.

By extending the principles established in Aida Atiku, this case reinforces a core truth of modern digital finance: fraud prevention is a shared obligation, and liability will rest with the party best positioned to prevent the harm.


--

Read the original publication at MMAKS Advocates